On Thu, Jun 16, 2016 at 06:42:22AM -0400, John Ferlan wrote:
> Rather that specify perhaps multiple TLS X.509 certificate directories,
> let's create a "default" directory which can then be used if the service
> (e.g. for now vnc and spice) does not supply a default directory.
>
> Since the default for vnc and spice may have existed before without being
> supplied, the default check will first check if the service specific path
> exists and if so, set the cfg entry to that; otherwise, the default will
> be set to the (now) new defaultTLSx509certdir.
>
> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
> ---
> src/qemu/libvirtd_qemu.aug | 5 ++++-
> src/qemu/qemu.conf | 36 ++++++++++++++++-----------------
> src/qemu/qemu_conf.c | 41 ++++++++++++++++++++++++++++++++------
> src/qemu/qemu_conf.h | 2 ++
> src/qemu/test_libvirtd_qemu.aug.in | 1 +
> 5 files changed, 60 insertions(+), 25 deletions(-)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index 8bc23ba..39b3a34 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -24,6 +24,8 @@ module Libvirtd_qemu =
>
>
> (* Config entry grouped by function - same order as example config *)
> + let default_tls_entry = str_entry "default_tls_x509_cert_dir"
> +
> let vnc_entry = str_entry "vnc_listen"
> | bool_entry "vnc_auto_unix_socket"
> | bool_entry "vnc_tls"
> @@ -93,7 +95,8 @@ module Libvirtd_qemu =
> let nvram_entry = str_array_entry "nvram"
>
> (* Each entry in the config is one of the following ... *)
> - let entry = vnc_entry
> + let entry = default_tls_entry
> + | vnc_entry
> | spice_entry
> | nogfx_entry
> | remote_display_entry
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 7964273..72acdfb 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -2,6 +2,16 @@
> # All settings described here are optional - if omitted, sensible
> # defaults are used.
>
> +# Use of TLS requires that x509 certificates be issued. The default is
> +# to keep them in /etc/pki/libvirt-default. This directory must contain
> +#
> +# ca-cert.pem - the CA master certificate
> +# server-cert.pem - the server certificate signed with ca-cert.pem
> +# server-key.pem - the server private key
> +#
> +#default_tls_x509_cert_dir = "/etc/pki/libvirt-default"

Oh, just remembered we should add a default_tls_x509_verify = 1|0 to control how we set the 'verify-peer' config option on the TLS certs (ie whether we mandate the client provide a x509 cert as a crude form of authorization, as opposed to letting any client conncect).

Regards,
Daniel

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
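Review bot: The new comment block tells the administrator that the default is to keep the certificates in /etc/pki/libvirt-default, but the commit message says the service-specific directory is used whenever it already exists and the new directory is only the fallback; that precedence is not stated in the comment, so someone who drops a fresh key pair into libvirt-default may still be serving whatever sits in an older per-service directory without any indication why. I would add, after the `server-key.pem` line, something like `# If a service-specific certificate directory exists it is used in preference to this one.` so the lookup order is visible where the option is documented. Since `server-key.pem` is the server private key, the same block would benefit from a one-line caveat that the file should be readable only by the user the daemon runs as (presumably the same advice the per-service options carry; confirm). The hunk is quoted only through the `#default_tls_x509_cert_dir` line, so the rest of its added lines are not visible here.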